Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Configuration Manual page 159
The transport VR information is required, although its explicit configuration is not: if omitted, the transport VR is assumed to be the same as the operational VR. The tunnel source and destination, however, are mandatory elements.

Transport VR Definition
The transport VR definition includes:

Transport virtual router name: Name of the transport virtual router. If not explicitly configured, the operational VR is assumed.

Tunnel source endpoint: IP address or FQDN used as the tunnel source endpoint on this end of the tunnel. For signaled tunnels, the router listens and transmits on UDP port 500 of this address for IKE negotiations. The tunnel source endpoint must be an IP address or FQDN that is configured on the transport VR; otherwise the router indicates an error. See "Transport VR Definitions with an FQDN" on page 133 for information about using an FQDN rather than an IP address.

Tunnel destination endpoint: IP address or FQDN associated with the termination or initiation point of the secure IP tunnel. This address must be routable within the context of the transport VR. Each secure IP tunnel can have a different remote IP address.
Transport VR Definitions with an FQDN
For signaled IPSec tunnels, you can use an FQDN instead of an IP address to specify tunnel endpoints. You typically use this feature to identify the tunnel destination in broadband and DSL environments in which the destination does not have a fixed IP address. The remote device uses the FQDN to establish and authenticate the IPSec connection, and then uses the actual IP address for rekeying and filtering operations.
The ERX router FQDN feature supports both preshared keys and digital certificates. With preshared keys, the router must use IKE aggressive mode to support FQDNs, because IKE main mode with preshared keys identifies the peer only by its IP address. Be aware that aggressive mode sends the identity payload in the clear and exposes the preshared-key authentication hash to offline guessing, so use a long, random preshared key or prefer digital certificates where possible.
An identity string can include an optional user@ specification that precedes the
FQDN. The entire string can be a maximum of 80 characters. For example, both of
the following are supported:
branch245.customer77.isp.net
user4919@branch245.customer77.isp.net
With preshared key authentication, and when using the user@fqdn format, the router
searches for the key based on the entire identity string. If the router cannot find that
string, the router strips off the user@ part and performs a second search based on
the FQDN part of the string.
With digital certificates, the two sides of the tunnel must use the same identity format,
with or without the user@ specification; no stripping operation and no second search
occurs.
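The endpoint checks and the identity-matching rules described above, modelled in Python as an added illustration. This is not JunosE code: the class and function names, the sample virtual router and the preshared-key table are all constructed for the example; only the rules implemented (default transport VR, mandatory endpoints, source must be configured on the transport VR, 80-character identity limit, user@ stripping for preshared keys, exact match for certificates) come from the text.

```python
"""Model of the transport-VR and IKE identity rules from this section.

Constructed illustration, not JunosE code. All names below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_IDENTITY_LEN = 80  # the text limits the full identity string to 80 characters


@dataclass
class VirtualRouter:
    """A virtual router with the addresses and FQDNs configured on it."""
    name: str
    addresses: set = field(default_factory=set)
    fqdns: set = field(default_factory=set)


@dataclass
class TunnelDefinition:
    """Transport VR definition of one secure IP tunnel."""
    tunnel_source: str
    tunnel_destination: str
    transport_vr: Optional[str] = None  # None: transport VR not explicitly configured


def resolve_transport_vr(tunnel, operational_vr, vrs):
    """Return the effective transport VR after applying the section's rules.

    - A missing transport VR name defaults to the operational VR.
    - Tunnel source and destination are mandatory.
    - The source must be an address or FQDN configured on the transport VR,
      otherwise the router would report an error (modelled as ValueError).
    """
    if not tunnel.tunnel_source or not tunnel.tunnel_destination:
        raise ValueError("tunnel source and destination are mandatory")
    vr_name = tunnel.transport_vr or operational_vr.name
    vr = vrs[vr_name]  # KeyError if the named VR does not exist
    if tunnel.tunnel_source not in vr.addresses | vr.fqdns:
        raise ValueError(
            f"tunnel source {tunnel.tunnel_source} is not configured on VR {vr.name}")
    return vr


def lookup_preshared_key(identity, keys):
    """Preshared-key lookup for an fqdn or user@fqdn identity.

    First search on the entire identity string; if that fails and the identity
    carries a user@ part, strip it and search once more on the FQDN alone.
    Returns (matched_string, key) or None.
    """
    if len(identity) > MAX_IDENTITY_LEN:
        raise ValueError("identity string exceeds 80 characters")
    if identity in keys:
        return identity, keys[identity]
    _user, at, fqdn = identity.partition("@")
    if at and fqdn in keys:  # second search on the FQDN part only
        return fqdn, keys[fqdn]
    return None


def certificate_identity_matches(local_identity, remote_identity):
    """With digital certificates both sides must use the same identity format;
    there is no stripping and no second search, so only an exact match counts."""
    return local_identity == remote_identity


# Constructed sample data (not from the manual).
TRANSPORT_VR = VirtualRouter("transport1",
                             addresses={"192.0.2.10"},
                             fqdns={"branch245.customer77.isp.net"})
OPERATIONAL_VR = VirtualRouter("default", addresses={"198.51.100.1"})
VRS = {vr.name: vr for vr in (TRANSPORT_VR, OPERATIONAL_VR)}
PSK_TABLE = {"branch245.customer77.isp.net": "constructed-key-A",
             "user4920@branch245.customer77.isp.net": "constructed-key-B"}

if __name__ == "__main__":
    t = TunnelDefinition("192.0.2.10", "203.0.113.7", transport_vr="transport1")
    print("transport VR:", resolve_transport_vr(t, OPERATIONAL_VR, VRS).name)
    print(lookup_preshared_key("user4919@branch245.customer77.isp.net", PSK_TABLE))
    print(lookup_preshared_key("user4920@branch245.customer77.isp.net", PSK_TABLE))
    print(certificate_identity_matches("user4919@branch245.customer77.isp.net",
                                       "branch245.customer77.isp.net"))
```

The second lookup above hits on the full user@fqdn string, the first falls back to the FQDN entry after stripping user4919@, and the certificate comparison fails because one side carries the user@ part and the other does not.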
NOTE: The E Series router does not support FQDN-to-IP address resolution by DNS.
Chapter 5: Configuring IPSec
133
IPSec Concepts